
Veracode is reporting a security flaw in libthrift-0.13.0.jar a dependency of opentracing-spring-jaeger-web-starter 3.3.1

Open ghevge opened this issue 4 years ago • 6 comments

Veracode is reporting the following security flaw in libthrift-0.13.0.jar, a dependency of opentracing-spring-jaeger-web-starter 3.3.1:

CVE-2020-13949
Denial Of Service (DoS): libthrift is vulnerable to denial of service (DoS). A malicious user can pass a short message to the system to allocate more memory than it has, causing the system to run out of memory.

Any chance to have this library bumped up? There are newer versions available. The problem was resolved in libthrift-0.14.0.jar and later.

I've tried to do this upgrade manually at my project's pom level, but it seems opentracing-spring-jaeger-web-starter 3.3.1 tries to call a method that is not available anymore in libthrift-0.14.0.jar.

Thanks

ghevge avatar Jul 05 '21 17:07 ghevge

+1

nosheenzaza avatar Jul 08 '21 03:07 nosheenzaza

This has been bumped in version 3.3.3 but has not been released to MVN Central - seemingly because of a CICD failure(?)

Harmelodic avatar Aug 08 '21 23:08 Harmelodic

Any progress? opentracing-spring-jaeger-cloud-starter:3.3.1 is still the latest version on Maven Central.

lathspell avatar Nov 10 '21 13:11 lathspell

Also interested in the progression of this issue. Does anyone know of a smart workaround to implement libthrift 0.14.0+ while still using opentracing-spring-jaeger-web-starter 3.3.1?

Lenasenap avatar Nov 23 '21 09:11 Lenasenap

We also have the same issue with libthrift-0.13.0.jar; org.owasp:dependency-check reports CVE-2020-13949. I have added the following two dependencies manually and that seems to work:

   implementation("org.apache.thrift:libthrift:0.15.0")
   implementation("io.jaegertracing:jaeger-thrift:1.7.0")

ajurge avatar Jan 04 '22 14:01 ajurge

I also had the same issue, reported by Nexus IQ, and managed to get version 3.3.1 working by including an updated jaeger client in my project pom.xml:

        <dependency>
            <groupId>io.opentracing.contrib</groupId>
            <artifactId>opentracing-spring-jaeger-web-starter</artifactId>
            <version>3.3.1</version>
        </dependency>
        <dependency>
            <groupId>io.jaegertracing</groupId>
            <artifactId>jaeger-client</artifactId>
            <version>1.8.0</version>
        </dependency>

Additional notes from #133: As mentioned by @Harmelodic, the recommendation is to move to OpenTelemetry. I just wanted to share for those who still have a legacy jaeger backend without support for the OpenTelemetry client or for whatever reason need to use the jaeger client for now. This overrides the problematic jaeger-client included in 3.3.1. Kindly consider that this is a temporary workaround.

leslion avatar Jun 21 '22 20:06 leslion
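The two workarounds above (ajurge's Gradle override and leslion's Maven override) both rely on a directly declared dependency winning over the transitive one, which silently stops working if someone later removes the extra line or another starter drags libthrift 0.13.0 back in. The fragment below is an added example, not code from the thread or from the opentracing-spring-jaeger project: it pins jaeger-client 1.8.0 (the version leslion reports working with starter 3.3.1) through dependencyManagement, and uses the maven-enforcer-plugin bannedDependencies rule so the build fails if any libthrift below 0.14.0 (the first version the reporter says fixes CVE-2020-13949) is still on the classpath. The enforcer plugin version 3.0.0 and the assumption that jaeger-client 1.8.0 pulls a libthrift at or above 0.14.0 are mine; whether 1.8.0 is compatible with your Jaeger backend is for you to verify.

```xml
<!-- Added example (not from the thread): pin the fixed jaeger client and
     fail the build if a vulnerable libthrift is still resolved. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Forces every transitive reference to jaeger-client to 1.8.0,
           the version leslion reports working with starter 3.3.1. -->
      <dependency>
        <groupId>io.jaegertracing</groupId>
        <artifactId>jaeger-client</artifactId>
        <version>1.8.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.opentracing.contrib</groupId>
      <artifactId>opentracing-spring-jaeger-web-starter</artifactId>
      <version>3.3.1</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed; use the version your build already has -->
        <executions>
          <execution>
            <id>ban-vulnerable-libthrift</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Maven version range: anything below 0.14.0 is banned,
                       including transitive occurrences (searchTransitive
                       defaults to true). -->
                  <excludes>
                    <exclude>org.apache.thrift:libthrift:[,0.14.0)</exclude>
                  </excludes>
                  <message>libthrift below 0.14.0 is affected by CVE-2020-13949; override the jaeger client version.</message>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After changing the pom, confirm which libthrift actually ends up on the classpath with `mvn dependency:tree -Dincludes=org.apache.thrift:libthrift`; the enforcer rule then keeps that result from regressing when dependencies are edited later. The same idea on the Gradle side of ajurge's workaround is a `constraints` block on the libthrift coordinate plus `gradle dependencyInsight --dependency libthrift` to check the resolved version.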